VMware Carbon Black Workload User Guide for Security Administrators

VMware Carbon Black Workload Overview

VMware Carbon Black Workload provides vulnerability assessment and inventory management for workloads hosted on vSphere, VMware Cloud and AWS. The Carbon Black Workload vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native vCenter administration client.

This document provides the Security administrator with a foundational body of knowledge concerning the Carbon Black Cloud and how it is utilized in the overall Carbon Black Cloud Workload architecture.

 

Section 1: Introduction to Cloud Workload Protection

VMware Carbon Black Workload provides vulnerability assessment and inventory management for workloads hosted on vSphere. The Carbon Black Workload vulnerability solution provides shared information on vulnerabilities that is available in Carbon Black Cloud as well as in the native vCenter administration client. Workload protection capabilities are fully integrated into the world’s leading cloud management platform for complete data center visibility and protection. The solution combines vSphere and VMware Carbon Black Cloud in a purpose-built, operationally simple solution with minimal overhead and performance impact.

Carbon Black Cloud Workload is the only vSphere vCenter workload protection platform for enterprise virtualization and security teams that delivers the most secure virtual infrastructure, while also providing the same visibility and capabilities within the public cloud as well.

This powerful solution reduces the attack surface by giving Infrastructure, DevOps, and Security teams visibility into the operating system and application vulnerabilities right from within the vCenter Management plane as well as within the Carbon Black Cloud Management Console.

Cloud Workload Protection Architecture

A Carbon Black plug-in within vCenter allows for a shared truth on vulnerabilities and risk for those residing in vSphere/infrastructure as well as team members more focused on security or the Carbon Black Cloud console. Through this unique approach, we can eliminate the trade-off between security and operational simplicity by providing a single source of truth for Infrastructure and Security teams to accelerate response to critical vulnerabilities and attacks, while enabling collaboration and reducing friction. The Carbon Black Workload Plug-in provides deep visibility into your data center inventory and end-to-end life-cycle management for the components.

VMware Carbon Black Workload contains two Carbon Black Cloud components:

  • Carbon Black Workload Plug-in in vCenter
  • Carbon Black Cloud Management Console
     

For further information on the solution architecture reference the following resource: https://carbonblack.vmware.com/resource/carbon-black-cloud-workload-protection-architecture

Section 2: What is Carbon Black Cloud?

The Carbon Black Cloud is a cloud-native endpoint protection platform (EPP) that provides what teams need to secure endpoints all using a single lightweight sensor and an easy-to-use console. Customers can utilize the real-time behavioral analytics at the core of the platform. Leveraging the power of the cloud, it analyzes more than 500B events per day across millions of global endpoints, helping teams stay ahead of emerging attacks and react with maximum efficiency when they do occur.

The VMware Carbon Black Cloud is a security solution suite comprised of the following products that may be used together or alone utilizing a single lightweight sensor and the easy-to-use cloud-based console:

  • Endpoint Standard: Next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution. Carbon Black Endpoint Standard provides multiple layers of prevention to prevent/detect a variety of attacks such as known malware, non-malware, and fileless. 
  • Enterprise EDR: Enables advanced threat-hunting with out-of-the-box watchlists curated by Carbon Black and third parties like MITRE as well as the capabilities for creating and tracking customized indicators of compromise (IOCs) 
  • Audit & Remediation: Allows admins to gather current-state information across software, hardware, and network variables, at scale across your environment leveraging osquery schema.
  • Workload: Allows admins to reduce the attack surface and protect critical assets with advanced security purpose-built for workloads. Increase visibility across your environment and simplify operations for IT and security.

Section 3: Walkthrough of the Carbon Black Cloud

The following section details the basics of accessing and using the Carbon Black Cloud. For more a more in-depth walkthrough of the CBC please see the “Endpoint Standard Hands-On Lab” located here: https://labs.hol.vmware.com/HOL/catalogs/lab/10096

Accessing the Carbon Black Cloud

The Carbon Black Cloud console is web-based with one lightweight sensor deployed to endpoints. The single sensor allows for consolidation across AV, EDR, vulnerability, and security auditing technologies. No stand-up or maintenance of on-premises servers is required – offloading work from infrastructure and security teams. 

The console is accessed through a supported web browser: 

  • Windows: Chrome, Edge, Firefox 
  • MacOS: Chrome, Firefox, Safari 

Login to Carbon Black Cloud: 

  • URL: https://defense-prod05.conferdeploy.net/
  • User: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)  
  • Password: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)

On login you will land on the CBC Dashboard. The main navigation menu is located on the left-hand side of the web console.  

Graphical user interface, application</p> <p>Description automatically generated

Figure 1: CBC Dashboard | The dashboard gives a high-level overview of your environment with interactive widgets

Alert Walkthrough

The Alerts page displays events of known threats or potential risks to your environment. To navigate to the Alerts page, select Alerts from the left-hand menu. 

Graphical user interface, application</p> <p>Description automatically generated

Regularly review alerts to determine whether action needs to be taken or policies need to be modified. Alert notifications can be setup to email designated administrators when an alert occurs. Alerts can also be forward to a SIEM with the Carbon Black open API (https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/).

An alert will show: 

  • Status – Run status and policy status
  • Run Status: process ran/did not run
  • Policy status: policy applied/no policy applied
  • First Seen – What time the events of alerts first occurred 
  • Reason – High level overview of the reason the alert occurred 
  • S(everity) – Numerical score from 1 to 10, 1 being lowest severity and 10 being highest 
  • T(arget Value) – Acts as a multiplier for the severity score; target value can be assigned per policy group 
  • Device – Device that was alerted upon 

Alert severity indicates the relative importance of an alert and acts as a prioritization assistant (one being lowest severity and ten being highest, mission critical). The following describe the ranges of severity:

  • Severity 1-2: Activities such as port scans, malware drops, changes to system configuration files, persistence, etc. 
  • Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input, potential memory scraping, password theft, etc. 
  • Severity 6-10: Activities such as reverse command shells, process hollowing, ransomware, destructive malware, hidden processes and tool sets, applications that talk on the network but should not, etc. 
  • Filters are available on the left-hand. This can be used to filter into alerts of interest by device, severity, etc. 

To view additional information about an alert, click the chevron to expand. The Alert Details show additional information about the processes, behaviors (or TTP’s – Tactics, Techniques, and Procedures), recommended steps for remediation, and notes/tags. 

Graphical user interface, text, application</p> <p>Description automatically generated

Figure 2: CBC Alerts – Alert Details | Alert Details show additional information for further investigation into malicious/suspicious events 

The Techniques section in Alert Details shows what behaviors, or TTPs (tactics, techniques, and procedures), were exhibited by the specified process. TTP’s are color coded, with red being a higher severity. TTP’s can be clicked into to view further information about the TTP and what it means. Carbon Black also correlates MITRE techniques to TTPs which are also displayed. Clicking a MITRE technique will take you directly to the MITRE page correlating to that technique. 

An alert visualization is generated for all alerts that occur. The visualization provides an easy to understand and digest view of what occurred during the attack sequence. To view an alert visualization, called the Alert Triage, click the tree icon) in the upper right of alert details.

Graphical user interface, text, application</p> <p>Description automatically generated

Figure 3: CBC Alerts | Quickly pivot to the Alert Triage (tree icon), investigate, or additional actions with linked buttons  

The Alert Triage displays a tree containing events associated with the alert. A node represents an individual process or event. You can click a node to view additional process details on the right including reputation, TTPs (behaviors), command line used, and other information. The Alert Triage provides actionable information about the events that occurred during an alert: including where prevention was applied, source, and what the attacker may have been attempting.

Diagram</p> <p>Description automatically generated

Figure 4: CBC Alerts – Alert Triage| Alert Triage shows alert in visual format; each node can be selected for more details on right 

The alert can be viewed in a log level format as well for richer, process level behavioral information such as: command line, parent command line, if the device was on or off-premises at the time of the event, etc. These logs can be viewed in the Enriched Events section, which you can find by scrolling down to the bottom of the Alert Triage page.  

Graphical user interface, text, application, Teams</p> <p>Description automatically generated

Figure 5: CBC Alerts – Enriched Events | Click the chevron next to an enriched event to view additional details  

Policies Walkthrough

The CBC next-gen AV and EDR solution offers flexible Policies. Policies determine preventative rules as well as sensor functionality. Carbon Black gives administrators control and visibility into how prevention works in your environment. 

Each endpoint with a sensor installed will belong to a single policy. A policy defines how the sensor should behave on the endpoint, blocking/preventative rules, exclusions and allowances, and other configurations. 

The Standard policy group comes OOTB (alongside the Monitored and Advanced policies) and is meant to act as a day-one, production viable policy that gives additional preventative layers beyond a traditional AV. 

To view information about Policies and the Standard Policy Rules, navigate using the main left-hand menu to Enforce -> Policies. On the ‘Prevention’ tab you can see rules associated with the selected policy group. 

Graphical user interface, text, application</p> <p>Description automatically generatedFigure 6: CBC Policies- Prevention Rules | Carbon Black offers OOTB production viable policies for day-one use while giving admins visibility and customizability into prevention/allowances

Review the rules within the Standard policy including rules for: 

  • Process: Known Malware 
  • Process (At Path): Excel, Invokes a command interpreter
  • Process: Not Listed, Performs ransomware-like behavior 

Audit and Remediation Walkthrough

To gather stateful information which is correlated to vulnerabilities another part of the Carbon Black Solution suite is leveraged called Audit and Remediation. Audit and Remediation allows administrators to ask questions on the environment across hardware, software, and network variables at scale. Cloud Workload Protection customers have access to the full Audit and Remediation solution beyond its use in vulnerability assessment. This portion of the experience will walk through using Audit and Remediation.


Using the Carbon Black Cloud console.

  1. On the left-hand navigation menu click Live Query to expand the menu
  2. Click New Query menu option

Graphical user interface, application</p> <p>Description automatically generated

Numerous queries are pre-built and come OOTB with Audit and Remediation - called recommended queries. Pre-built queries full under IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance use cases. Recommended queries can be filtered by selecting a use case, filtering by applicable OS, or searching for keyword(s).

Graphical user interface, website</p> <p>Description automatically generated

Queries can be run on a one-off basis or scheduled to run automatically (daily, weekly, monthly, etc.). Query results can be viewed in the console or exported.

  1. Click Vulnerability Management to review queries falling under this use case

 

Vulnerabilities Walkthrough

If you are an existing Carbon Black Cloud customer using the next-generation AV, EDR, container security, or other solution the Cloud Workload Protection solution lives in the same cloud-based console. CWP vulnerability information lives in the Vulnerabilities tab.

  1. On the left side navigation menu, click "Harden" to expose menu options
  2. Click "Vulnerabilities" to view vulnerability information

Graphical user interface, application</p> <p>Description automatically generated

CWP gives teams a shared truth of risk, minimizing friction between teams such as infrastructure and security. Teams have the same visibility and understanding of vulnerabilities whether they are viewing information in the Carbon Black Cloud or within the vCenter plug-in.

 

Graphical user interface, text, application, email</p> <p>Description automatically generated

The Vulnerabilities page displays vulnerabilities present in your workload environment.

An overview of vulnerabilities is shown at the top of the page - including filters based on vulnerability severity. Severity scoring allows for administrators to understand and mitigate risks in a prioritized, realistic method. Higher severity scores indicate that the vulnerability should be prioritized. There are four severity categories… 

  • Low: Score from 0.0 – 3.9 
  • Moderate: Score from 4.0 – 6.9 
  • Important: Score from 7.0 – 8.9 
  • Critical: Score from 9.0 – 10.0  

As a Security administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment. 

Vulnerabilities can be viewed in Asset View or Vulnerability View:

  • Asset View displays workloads covered by CWP and allows you to look at all vulnerabilities affecting the workload of interest. 
  • Vulnerability View displays all vulnerabilities based on type (Windows OS, Windows App, etc.).

Carbon Black investigates vulnerabilities related to:

  • Operating System (OS) of the virtual machine.
    • Windows OS: Displays OS-level vulnerabilities for Windows VMs. The system looks for OS details and the security patches applied on each VM. When the security patch associated with the vulnerability is not applied, the VM is flagged as vulnerable.
    • Linux OS: Displays OS-level vulnerabilities for Linux VMs. The system looks for OS details with the list of all installed packages. The system determines the vulnerable packages installed on the VM and reports the CVEs against those packages.
  • Applications are installed on the virtual machine.
    • Windows Apps: Displays application-level vulnerabilities for the Windows VMs.
    • Linux Apps: Displays application-level vulnerabilities for the Linux VMs.

How Carbon Black Measures Risk

Carbon Black Cloud partners with Kenna Security to leverage the largest database of vulnerability, exploit, and event threat data in the industry. This data is distilled into three main measures of risk:

  • Active Internet Breach: Presence of near-real-time exploitation.
  • Malware Exploitable: Availability of an exploit module in a weaponized exploit kit.
  • Easily Exploitable: Availability of a recorded exploit.

There are metrics defined for Common Vulnerability Scoring System (CVSS). A few of the metrics are about the attack method itself, whereas the others depend on how the application assesses impact - the direct consequence of a successful exploit. To learn more about CVSS, visit https://www.first.org/cvss/specification-document.

Risk Score

Every vulnerability is assigned a risk score of between 0.0 (no risk) and 10.0 (maximum risk). The risk score range and severity are defined as follows.

Score Range

Severity

0.0–3.9

Low

4.0–6.9

Moderate

7.0–8.9

Important

9.0–10.0

Critical

To learn more about how the risk is calculated, refer to the Kenna Security documentation available at https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-whitepaper-understanding-the-kenna-security-vulnerability-risk-score.pdf.

For a more guided experience on using the Carbon Black Cloud for vulnerabilities see Module 4 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212

 

Summary and Additional Resources

This user guide covers the VMware Carbon Black Cloud Workload Protection solution using the Carbon Black Cloud console.

Additional Resources

Contact  

Carbon Black Endpoint Standard NGAV/EDR

Carbon Black Workload Protection

Carbon Black TestDrive Experiences

Container Security: https://kb.vmtestdrive.com/hc/en-us/articles/1260803985870-Securing-Modern-Applications-with-CBC-Container-Security

Changelog

The following updates were made to this guide.

Date 

Description of Changes

2022-02

Initial publication

About the Author and Contributors

Dale McKay is a technology evangelist and strategist with deep expertise in security, virtualization, and networking. He has extensive knowledge of a variety of technologies for meeting the strategic and tactical needs of clients. He has strong real-world, hands-on skills in cybersecurity, with his focus being on implementing policies and operating procedures that help his customers address their cybersecurity demands. He is an experienced leader in determining client needs, delivering solutions, and building relationships.

Dale McKay, Senior Technical Marketing Architect, Network and Advanced Security Business Group, VMware

Filter Tags

Carbon Black Cloud Workload Document Deployment Considerations Intermediate Deploy